The GDPR: Why your organisation needs to conduct DPIAs

DPIAs (data protection impact assessments) help organisations identify, assess and mitigate privacy risks to data processing activities. They are particularly important when introducing new data processes, systems and technologies.

Their objective is to help organisations evaluate the effects a business process might have on individuals’ privacy.

They are also a core component in an organisation’s GDPR (General Data Protection Regulation) compliance practices.

In this blog, we explain when you need to conduct a DPIA and help you understand how you can complete the process.

When are DPIAs necessary?

Article 35 of the GDPR states that a DPIA is required if personal data processing is likely to result in a high risk to the rights and freedoms of data subjects. This includes:

  • Automated decision-making (including profiling) that could significantly affect data subjects;
  • Large-scale processing of special categories of data (relating to race or ethnicity, political opinions, health, etc.); and
  • Systematic large-scale monitoring of public areas.

Data controllers are primarily responsible for conducting DPIAs, but Article 28(3)(f) adds that data processors must assist the controller in this process.

Completing a DPIA

We developed a six-step guide to performing a DPIA, which you can find in our DPIA Tool. It states that organisations must complete the following processes:

  1. Process description, containing a questionnaire that prompts users for information about the process in question.
  2. Screening questions that help users work out whether they need to conduct a DPIA.
  3. Consultation questionnaire that prompts users for information about parties they’ve consulted (such as data subjects or their representatives).
  4. Principles questionnaire that prompts users to provide information about the necessity and proportionality of processing.
  5. Privacy risk assessment that gives users the means to identify individual risks to the rights and freedoms of data subjects, including evaluating levels of risks and determining risk responses.
  6. A review, containing a brief questionnaire asking users whether all the relevant tasks have been completed and whether the process is authorised to go ahead.

You can also find advice on these steps in our free green paper: A Concise Guide to Data Protection Impact Assessments (DPIAs).

This guide explains in more detail what a DPIA is, when you need to conduct it and the benefits you’ll receive in addition to GDPR compliance.

Additionally, you’ll receive tips on how to complete the assessment and learn when you are required to consult your supervisory authority.

Become a DPIA expert

Those looking to practise the DPIA process should take a look at our Data Protection Impact Assessment (DPIA) Training Workshop.

You’ll learn first-hand how assessments work, as our data protection expert demonstrates the practicalities of developing a DPIA.

We particularly recommend this course for in-house training. You can discuss your organisation’s own policies and procedures and use real-life examples to bring the DPIA training to life.
A version of this blog was originally published on 2 January 2019.